GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-17 18:13:33
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-12 rev.
Running: 76jczxxi.exe; Driver: C:\DOCUME~1\SAFECZ~1\USTAWI~1\Temp\pgtdypow.sys


---- System - GMER 1.0.15 ----

Code  B8751C9C  ZwRequestPort
Code  B8751D3C  ZwRequestWaitReplyPort
Code  B8751BFC  ZwTraceEvent
Code  B8751C9B  NtRequestPort
Code  B8751D3B  NtRequestWaitReplyPort
Code  B8751BFB  NtTraceEvent

---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!NtTraceEvent                                   8053516E 5 Bytes  JMP B8751C00
PAGE   ntkrnlpa.exe!NtRequestPort                                  805A2A52 5 Bytes  JMP B8751CA0
PAGE   ntkrnlpa.exe!NtRequestWaitReplyPort                         805A2D7E 5 Bytes  JMP B8751D40
.text  C:\WINDOWS\system32\DRIVERS\ati2mtag.sys                    section is writeable [0xB7026000, 0x235F87, 0xE8000020]
.text  win32k.sys!EngAcquireSemaphore + 20F0                       BF8082F4 5 Bytes  JMP B8751480
.text  win32k.sys!EngFreeUserMem + 5BD7                            BF80EE80 5 Bytes  JMP B87513E0
.text  win32k.sys!EngSetLastError + 79AA                           BF8240ED 5 Bytes  JMP B87515C0
.text  win32k.sys!FONTOBJ_pxoGetXform + 84ED                       BF851765 2 Bytes  JMP B8751A20
.text  win32k.sys!FONTOBJ_pxoGetXform + 84F0                       BF851768 2 Bytes  [F0, F8]
.text  win32k.sys!XLATEOBJ_iXlate + 2EDD                           BF85DC50 5 Bytes  JMP B8751520
.text  win32k.sys!EngCreatePalette + 8A                            BF85F5F2 5 Bytes  JMP B87518E0
.text  win32k.sys!EngCopyBits + 1409                               BF899DCD 5 Bytes  JMP B8751700
.text  win32k.sys!EngCopyBits + 4DF9                               BF89D7BD 5 Bytes  JMP B8751660
.text  win32k.sys!EngEraseSurface + A9E8                           BF8C1D00 5 Bytes  JMP B87517A0
.text  win32k.sys!EngDeleteSemaphore + 3B35                        BF8EBDCE 5 Bytes  JMP B8751980
.text  win32k.sys!EngCreateClip + 1A2F                             BF9142F4 5 Bytes  JMP B8751AC0
.text  win32k.sys!EngCreateClip + 1FBF                             BF914884 5 Bytes  JMP B8751B60
.text  win32k.sys!EngCreateClip + 2605                             BF914ECA 5 Bytes  JMP B8751840
.text  C:\WINDOWS\system32\DRIVERS\atksgt.sys                      section is writeable [0xA246A300, 0x3AF78, 0xE8000020]
.text  C:\WINDOWS\system32\DRIVERS\lirsgt.sys                      section is writeable [0xB83D8300, 0x1BCE, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\Internet Explorer\iexplore.exe[3300] ole32.dll!OleLoadFromStream  7751983B 5 Bytes  JMP 7E2A54ED C:\WINDOWS\system32\SHDOCVW.dll (Biblioteka powłoki obiektów DocObject i formantów/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device  \Driver\Disk \Device\Harddisk0\DR0  896F2A0A

---- Processes - GMER 1.0.15 ----

Process  C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** )  3300

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0xB3 0x1A 0x78 0x70 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh  0x9E 0xE9 0x50 0xA1 ...
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0  C:\Program Files\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0  0
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh  0xA0 0xE3 0x64 0x40 ...
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0  0x20 0x01 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh  0x15 0xFA 0xB7 0x14 ...
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh  0x0C 0x12 0x80 0xF6 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  1
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0xB3 0x1A 0x78 0x70 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0  0
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh  0x9E 0xE9 0x50 0xA1 ...

---- Disk sectors - GMER 1.0.15 ----

Disk  \Device\Harddisk0\DR0  Whistler@MBR code has been found <-- ROOTKIT !!!
Disk  \Device\Harddisk0\DR0  sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File  C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\9XF280CM\st[5]  0 bytes
File  C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\FPHRAB3M\st[5]  4500 bytes
File  C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\FPHRAB3M\24094-9[8].js  1685 bytes
File  C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\FPHRAB3M\moocow_exchange_2_uk[2].php%3Faff_id%3D1890  0 bytes
File  C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\FPHRAB3M\dref=http%253A%252F%252Fad.globe7[2].com%252Fst%253Fad_type%253Diframe%2526ad_size%253D160x600%2526section%253D2796686  468 bytes
File  C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\FPHRAB3M\e0edc6327df385f439c1939dfa4ed627[2].xml  1040 bytes
File  C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\FPHRAB3M\imp[1].php%3Faff_id%3D1890&r=0&SIG=10vi4hdg3;x-cookie=61tfi1u82fgtw&o=3&f=h1  408 bytes
File  C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\FPHRAB3M\imp[1].php%3Faff_id%3D1890&r=0&SIG=10vv0rh5n;x-cookie=32copxc82fgtw&o=3&f=7z  701 bytes

---- EOF - GMER 1.0.15 ----